Home / Our Network / BGP & Routing / Routing Security

Routing Security

Last Updated: 2021-06-10


Here at Telia Carrier, we take our responsibility to secure Internet Routing very seriously. Through a mix of industry best practices, our systems, and well-crafted policies, we minimize the chances of common routing threats, including BGP Hijacks and Route Leaks.


In our efforts to improve Internet routing security, we have joined MANRS, which is a global initiative, supported by the Internet Society, that provides essential fixes to reduce the most common routing threats.

As part of our membership with MANRS, Telia Carrier commits to adhere to four concrete actions to reduce routing threats:

1. Filtering

2. Anti-Spoofing

3. Coordination

4. Global Validation

visit manrs

Have a look at the excellent MANRS observatory tool!


RPKI is a method to help prevent BGP hijacking and Route Leaks. It uses cryptographic signatures to validate that an ASN is allowed to announce a particular Prefix. Telia Carrier’s ASN, AS1299, has deployed RPKI Route Validation and Filtering. We reject RPKI Invalids on all BGP Sessions; for both Peers and Customers.

PLEASE NOTE: It is not our intention to do anything other than filter out Invalids – we will not be rejecting Unknowns. 

RPKI State Description Recommended Action 


Correct IP/masklength from the correct origin AS according to the ROA.

All good. No need to do anything.


No ROA registered.

We recommend customers to register ROAs to protect their address space but it's not required.


Incorrect masklength and/or origin AS according to the registered ROA.

The address space owner should correct the ROA.


We’ve been working hard on testing our validator infrastructure to ensure it is stable and scalable for a network of our size. In total, we have four validators deployed, two in North America and two in Europe, running two different versions of software. Each edge router has RTR sessions with each of the validators, giving us an extremely resilient deployment.


Useful Resources

Have a look at Telia Carrier’s BGP Looking Glass to see the status of learned prefixes.

Visit Looking Glass

RPKI Documentation Library - a great starting point on what RPKI is all about!

Visit Documentation Library

Look up validated ROAs

Visit the RPKI Validator

Analysis tool for more details on covering prefixes.

Visit the Analysis Tool



All eBGP Sessions have their filters automatically updated by our own “BGP Filter Server” Tool. This process runs twice daily; at 0700 and 2100 CET. For urgent updates needed between these times, customers can contact our Customer Service Center. A policy (AS or AS-set) registered in an IRR database is needed to build filters. We provision prefix filters by default and encourage customers to create and keep their IRR records updated.

The filter server mirrors in total 23 IRR databases. In case an AS-set exists in multiple database the default IRR query order is RADB, AFRINIC, RIPE, RIPE-NONAUTH, BELL, APNIC, NTTCOM, ALTDB, PANIX, NESTEGG, LEVEL3, LACNIC, REACH, AOLTW, OPENFACE, ARIN, ARIN-NONAUTH, JPIRR, HOST, RGNET, BBOI, TC and CANARIE. Route objects from all IRR sources will be candidates for prefix filters.


The Regional Internet Registries, AFRINIC, APNIC, ARIN, LACNIC, and RIPE, manage IP address allocations. All of these have an IRR where an operator that has received resources (AS numbers and IP addresses) from that RIR can register RPSL data (aut-num, as-set, and route-object). We recommend customers to maintain relevant RPSL information for their allocations in respective RIR.

We convert the Origin AS attribute from ARIN WHOIS network records and include them in our prefix filters.

All customers should have the ability to create relevant RPSL objects using a RIR. RADB is a commonly used IRR alternative, but ALTDB can also be used. All RIRs also have the option to create RPKI ROAs. We include ROA information (very similar to route-objects) in our prefix filters. In that way, we cover and can build prefix-filters for all IP addresses allocated across every region.

We encourage customers to follow the standards defined in MANRS regarding routing security, including filtering and maintaining database and contact information. More information can be found at https://www.manrs.org/